What are the advantages and disadvantages of using a Java applet for authentication as part of a web application? I am think of cases where such an applet is only used for authentication and transaction-signing purpose and not otherwise in the web application.

2 Answers
2

As a best practice, an applet should only augment the server's capabilities in the context of authentication. The server ought to re-verify what has been sent by the applet (client), for the message could have been modified in transit.

There are times however where an applet may serve a valid purpose. For instance, messages sent by the client, may be digitally signed by the applet, with the keys being managed in per-user USB drives (containing the private keys). In such a context, the applet serves as a mechanism for accessing the JCA libraries in Java, apart from accessing the USB store. The signature produced will have to re-validated by the server on receipt of the message.

When implemented correctly, applets like any client-side security scheme will increase the security posture of an application.

When implemented incorrectly, it results in a security theatre where the server relies on the client to provide trusted input. Also, if one needs to perform privileged operations (like access drives containing private keys), then the applet must be signed; and an appropriate Java security policy file must be maintained. Any errors in the management process of the Java security model will obviously lower the security of the system. Also, if native OS specific APIs like MSCAPI have to be accessed, then deployment of native code (DLLs) is a pre-requisite, and the software (not the applet) responsible for doing so, must be coded securely.